buffer: coerce slice parameters consistenly #9101
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nodejs-github-bot
added
the
buffer
cjihrig
reviewed
Oct 14, 2016
| @@ -807,7 +807,7 @@ Buffer.prototype.toJSON = function() { | |||
|
|
|||
|
|
|||
| function adjustOffset(offset, length) { | |||
| offset = +offset; | |||
| offset = ~~offset; | |||
There was a problem hiding this comment.
It looks like | 0 is used more frequently than ~~ throughout the lib/ code.
There was a problem hiding this comment.
@cjihrig Sure. Changed it now.
thefourtheye
force-pushed
the
make-buffer-slice-offset-integer
branch
from
17bcccd
to
6929c09
Compare
jasnell
reviewed
Oct 14, 2016
| @@ -807,7 +807,7 @@ Buffer.prototype.toJSON = function() { | |||
|
|
|||
|
|
|||
| function adjustOffset(offset, length) { | |||
| offset = +offset; | |||
| offset = offset | 0; | |||
There was a problem hiding this comment.
extremely minor nit... offset |= 0; is even more concise ;-)
targos
approved these changes
Oct 14, 2016
| { | ||
| // Test included in https://github.com/nodejs/node/issues/9096 | ||
| // If the offset or ending value provided is a floating point number, it | ||
| // should be coerced to integer consistenly. Otherwise the actual length of |
thefourtheye
force-pushed
the
make-buffer-slice-offset-integer
branch
from
6929c09
to
94d3642
Compare
mscdex
reviewed
Oct 14, 2016
| @@ -807,7 +807,7 @@ Buffer.prototype.toJSON = function() { | |||
|
|
|||
|
|
|||
| function adjustOffset(offset, length) { | |||
| offset = +offset; | |||
| offset |= 0; | |||
| if (offset === 0 || Number.isNaN(offset)) { | |||
There was a problem hiding this comment.
The Number.isNaN(offset) portion of this conditional should be able to be removed with this change since | will cause invalid inputs to always be zero (whereas + will not).
addaleax
approved these changes
Oct 14, 2016
| // the slice calculation will be messed up. | ||
| const original = Buffer.from('1234567890ABCDEFG', 'ascii'); | ||
| const chunk1 = original.slice(0, original.length / 3); | ||
| const chunk2 = original.slice(original.length / 3, 17); |
There was a problem hiding this comment.
nit: 17 can probably be original.length.
mscdex
reviewed
Oct 15, 2016
| // Test included in https://github.com/nodejs/node/issues/9096 | ||
| // If the offset or ending value provided is a floating point number, it | ||
| // should be coerced to integer consistently. Otherwise the actual length of | ||
| // the slice calculation will be messed up. |
There was a problem hiding this comment.
This comment seems a little confusing to me. The offsets are consistently converted to integers (in C++). The real problem is that the end value is calculated in javascript land before it gets passed to C++. If the length calculation (used to determine end) was done inside C++ this wouldn't be an issue.
It's also possible to use floating point numbers with slice() and still get a reasonable result. The only time it becomes an issue is when the end argument is not supplied and start is a floating point number.
There was a problem hiding this comment.
You mean to say the slice implementation would be better done in C++?
Honestly, I would prefer to throw an error if the input is not an integer, which would avoid all this.
There was a problem hiding this comment.
I removed the text in the comments now and improved the commit log a little.
thefourtheye
force-pushed
the
make-buffer-slice-offset-integer
branch
from
94d3642
to
e648180
Compare
As shown in nodejs#9096, the offset and end value of the `slice` call are coerced to numbers and then passed to `FastBuffer`, which internally truncates the mantissa part if the number is actually a floating point number. This actually affects the new length of the slice calculation. For example, > const original = Buffer.from('abcd'); undefined > original.slice(original.length / 3).toString() 'bc' This happens because, starting value of the slice is 4 / 3, which is 1.33 (approximately). Now, the length of the slice is calculated as the difference between the actual length of the buffer and the starting offset. So, it becomes 2.67 (4 - 1.33). Now, a new `FastBuffer` is constructed, with the following values as parameters, 1. actual buffer object, 2. starting value, which is 1.33 and 3. the length 2.67. The underlying C++ code truncates the numbers and they become 1 and 2. That is why the result is just `bc`. This patch makes sure that all the offsets are coerced to integers before any calculations are done. Fixes: nodejs#9096
thefourtheye
force-pushed
the
make-buffer-slice-offset-integer
branch
from
e648180
to
9fc562c
Compare
|
LGTM if CI is ok with it: https://ci.nodejs.org/job/node-test-pull-request/4526/ |
fhinkel
approved these changes
Oct 16, 2016
cjihrig
approved these changes
Oct 16, 2016
|
For any gage how this should work, would be most similar to |
|
@trevnorris String's slice also works like this only > const str = "abcd"
undefined
> str.slice(str.length / 3)
'bcd'
> str.slice(str.length / 3, str.length)
'bcd' |
|
What would the semver-iness of this change be? |
|
I think it's a bugfix. |
|
@jasnell I'd classify it as a bug fix, but if anything substantial relies on the old behavior a lot of angry people could show up :-P |
|
+1 for a bugfix. |
|
+1 to considering this a bugfix, too. CITGM to account for the “but if anything substantial relies on the old behavior” part: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/425 |
rvagg
force-pushed
the
master
branch
2 times, most recently
from
c133999
to
83c7a88
Compare
|
Landing as a semver-patch! |
jasnell
pushed a commit
that referenced
this pull request
Oct 18, 2016
As shown in #9096, the offset and end value of the `slice` call are coerced to numbers and then passed to `FastBuffer`, which internally truncates the mantissa part if the number is actually a floating point number. This actually affects the new length of the slice calculation. For example, > const original = Buffer.from('abcd'); undefined > original.slice(original.length / 3).toString() 'bc' This happens because, starting value of the slice is 4 / 3, which is 1.33 (approximately). Now, the length of the slice is calculated as the difference between the actual length of the buffer and the starting offset. So, it becomes 2.67 (4 - 1.33). Now, a new `FastBuffer` is constructed, with the following values as parameters, 1. actual buffer object, 2. starting value, which is 1.33 and 3. the length 2.67. The underlying C++ code truncates the numbers and they become 1 and 2. That is why the result is just `bc`. This patch makes sure that all the offsets are coerced to integers before any calculations are done. Fixes: #9096 PR-URL: #9101 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Brian White <mscdex@mscdex.net>
|
Landed in ee14690 |
jasnell
pushed a commit
that referenced
this pull request
Oct 18, 2016
As shown in #9096, the offset and end value of the `slice` call are coerced to numbers and then passed to `FastBuffer`, which internally truncates the mantissa part if the number is actually a floating point number. This actually affects the new length of the slice calculation. For example, > const original = Buffer.from('abcd'); undefined > original.slice(original.length / 3).toString() 'bc' This happens because, starting value of the slice is 4 / 3, which is 1.33 (approximately). Now, the length of the slice is calculated as the difference between the actual length of the buffer and the starting offset. So, it becomes 2.67 (4 - 1.33). Now, a new `FastBuffer` is constructed, with the following values as parameters, 1. actual buffer object, 2. starting value, which is 1.33 and 3. the length 2.67. The underlying C++ code truncates the numbers and they become 1 and 2. That is why the result is just `bc`. This patch makes sure that all the offsets are coerced to integers before any calculations are done. Fixes: #9096 PR-URL: #9101 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Brian White <mscdex@mscdex.net>
jasnell
pushed a commit
that referenced
this pull request
Oct 19, 2016
As shown in #9096, the offset and end value of the `slice` call are coerced to numbers and then passed to `FastBuffer`, which internally truncates the mantissa part if the number is actually a floating point number. This actually affects the new length of the slice calculation. For example, > const original = Buffer.from('abcd'); undefined > original.slice(original.length / 3).toString() 'bc' This happens because, starting value of the slice is 4 / 3, which is 1.33 (approximately). Now, the length of the slice is calculated as the difference between the actual length of the buffer and the starting offset. So, it becomes 2.67 (4 - 1.33). Now, a new `FastBuffer` is constructed, with the following values as parameters, 1. actual buffer object, 2. starting value, which is 1.33 and 3. the length 2.67. The underlying C++ code truncates the numbers and they become 1 and 2. That is why the result is just `bc`. This patch makes sure that all the offsets are coerced to integers before any calculations are done. Fixes: #9096 PR-URL: #9101 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Brian White <mscdex@mscdex.net>
|
@jasnell Did my comment about introducing another bug by using |
|
@trevnorris it looks like there is a good chance of that. What comment are you referring to? This is the only old comment I'm seeing on this thread. |
trevnorris
reviewed
Oct 28, 2016
| @@ -807,11 +807,10 @@ Buffer.prototype.toJSON = function() { | |||
|
|
|||
|
|
|||
| function adjustOffset(offset, length) { | |||
| offset = +offset; | |||
| if (offset === 0 || Number.isNaN(offset)) { | |||
| offset |= 0; | |||
There was a problem hiding this comment.
If you want the floor then please use Math.floor(). Using | allows wrap around. One reason why + was used before.
There was a problem hiding this comment.
String's slice also works like this only
This fails edge cases. For example:
'abcdefg'.slice(-(-1 >>> 0) - 1) === 'abcdefg';
But as this currently stands offset will be coerced to 2 with the above example.
| return 0; | ||
| } | ||
| if (offset < 0) { | ||
| } else if (offset < 0) { |
There was a problem hiding this comment.
Here's where the problem lies. There's no range check before the int32 coercion. A large number could fail this.
| assert.strictEqual( | ||
| buf.slice(buf.length / 3, buf.length).toString(), | ||
| 'bcd' | ||
| ); |
There was a problem hiding this comment.
If we're making the change to operate like String#slice() then edge case tests should be included. e.g.:
const b = Buffer.from('abcdefg');
assert.strictEqual(b.slice(-(-1 >>> 0) + 1).toString(), b.toString());
|
@cjihrig oh shiet. this was my first time using the review thing before, and didn't realize I needed to properly submit it before the notes could be seen. just did, and that'll show the regression this introduced. |
|
The old "forgot to submit the review" problem. Got me on multiple PRs the first day I used it :-) |
3 tasks
|
@trevnorris reverted the |
cjihrig
added a commit
to cjihrig/node
that referenced
this pull request
Nov 5, 2016
This is a partial revert of 14d1a8a, which coerced the offset of Buffer#slice() using the | operator. This causes some edge cases to be handled incorrectly. This commit restores the old behavior, but converts offsets to integers using Math.trunc(). This commit does not revert any tests, and adds an additional regression test. Refs: nodejs#9096 Refs: nodejs#9101 PR-URL: nodejs#9341 Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Brian White <mscdex@mscdex.net> Reviewed-By: Trevor Norris <trev.norris@gmail.com>
evanlucas
pushed a commit
that referenced
this pull request
Nov 7, 2016
This is a partial revert of 14d1a8a, which coerced the offset of Buffer#slice() using the | operator. This causes some edge cases to be handled incorrectly. This commit restores the old behavior, but converts offsets to integers using Math.trunc(). This commit does not revert any tests, and adds an additional regression test. Refs: #9096 Refs: #9101 PR-URL: #9341 Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Brian White <mscdex@mscdex.net> Reviewed-By: Trevor Norris <trev.norris@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Nov 18, 2016
As shown in #9096, the offset and end value of the `slice` call are coerced to numbers and then passed to `FastBuffer`, which internally truncates the mantissa part if the number is actually a floating point number. This actually affects the new length of the slice calculation. For example, > const original = Buffer.from('abcd'); undefined > original.slice(original.length / 3).toString() 'bc' This happens because, starting value of the slice is 4 / 3, which is 1.33 (approximately). Now, the length of the slice is calculated as the difference between the actual length of the buffer and the starting offset. So, it becomes 2.67 (4 - 1.33). Now, a new `FastBuffer` is constructed, with the following values as parameters, 1. actual buffer object, 2. starting value, which is 1.33 and 3. the length 2.67. The underlying C++ code truncates the numbers and they become 1 and 2. That is why the result is just `bc`. This patch makes sure that all the offsets are coerced to integers before any calculations are done. Fixes: #9096 PR-URL: #9101 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Brian White <mscdex@mscdex.net>
MylesBorins
pushed a commit
that referenced
this pull request
Nov 18, 2016
This is a partial revert of 14d1a8a, which coerced the offset of Buffer#slice() using the | operator. This causes some edge cases to be handled incorrectly. This commit restores the old behavior, but converts offsets to integers using Math.trunc(). This commit does not revert any tests, and adds an additional regression test. Refs: #9096 Refs: #9101 PR-URL: #9341 Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Brian White <mscdex@mscdex.net> Reviewed-By: Trevor Norris <trev.norris@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Nov 19, 2016
As shown in #9096, the offset and end value of the `slice` call are coerced to numbers and then passed to `FastBuffer`, which internally truncates the mantissa part if the number is actually a floating point number. This actually affects the new length of the slice calculation. For example, > const original = Buffer.from('abcd'); undefined > original.slice(original.length / 3).toString() 'bc' This happens because, starting value of the slice is 4 / 3, which is 1.33 (approximately). Now, the length of the slice is calculated as the difference between the actual length of the buffer and the starting offset. So, it becomes 2.67 (4 - 1.33). Now, a new `FastBuffer` is constructed, with the following values as parameters, 1. actual buffer object, 2. starting value, which is 1.33 and 3. the length 2.67. The underlying C++ code truncates the numbers and they become 1 and 2. That is why the result is just `bc`. This patch makes sure that all the offsets are coerced to integers before any calculations are done. Fixes: #9096 PR-URL: #9101 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Brian White <mscdex@mscdex.net>
MylesBorins
pushed a commit
that referenced
this pull request
Nov 19, 2016
This is a partial revert of 14d1a8a, which coerced the offset of Buffer#slice() using the | operator. This causes some edge cases to be handled incorrectly. This commit restores the old behavior, but converts offsets to integers using Math.trunc(). This commit does not revert any tests, and adds an additional regression test. Refs: #9096 Refs: #9101 PR-URL: #9341 Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Brian White <mscdex@mscdex.net> Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Merged
MylesBorins
pushed a commit
that referenced
this pull request
Dec 6, 2016
This LTS release comes with 144 commits. This includes 47 that are docs
related, 46 that are test related, 15 which are build / tools related,
and 9 commits which are updates to dependencies
Notable Changes:
* buffer:
- coerce slice parameters consistently
(Sakthipriyan Vairamani (thefourtheye))
#9101
* deps:
- *npm*:
- upgrade npm to 3.10.9 (Kat Marchán)
#9286
- *V8*:
- Various fixes to destructuring edge cases
- cherry-pick 3c39bac from V8 upstream (Cristian Cavalli)
#9138
- cherry pick 7166503 from upstream v8 (Cristian Cavalli)
#9173
* gtest:
- the test reporter now outputs tap comments as yamlish
(Johan Bergström) #9262
* inspector:
- inspector now prompts user to use 127.0.0.1 rather than localhost
(Eugene Ostroukhov) #9451
* tls:
- fix memory leak when writing data to TLSWrap instance during
handshake (Fedor Indutny)
#9586
PR-URL: #9735
MylesBorins
pushed a commit
that referenced
this pull request
Dec 6, 2016
This LTS release comes with 144 commits. This includes 47 that are docs
related, 46 that are test related, 15 which are build / tools related,
and 9 commits which are updates to dependencies
Notable Changes:
* buffer:
- coerce slice parameters consistently
(Sakthipriyan Vairamani (thefourtheye))
#9101
* deps:
- *npm*:
- upgrade npm to 3.10.9 (Kat Marchán)
#9286
- *V8*:
- Various fixes to destructuring edge cases
- cherry-pick 3c39bac from V8 upstream (Cristian Cavalli)
#9138
- cherry pick 7166503 from upstream v8 (Cristian Cavalli)
#9173
* gtest:
- the test reporter now outputs tap comments as yamlish
(Johan Bergström) #9262
* inspector:
- inspector now prompts user to use 127.0.0.1 rather than localhost
(Eugene Ostroukhov) #9451
* tls:
- fix memory leak when writing data to TLSWrap instance during
handshake (Fedor Indutny)
#9586
PR-URL: #9735
MylesBorins
pushed a commit
that referenced
this pull request
Dec 6, 2016
This LTS release comes with 144 commits. This includes 47 that are docs
related, 46 that are test related, 15 which are build / tools related,
and 9 commits which are updates to dependencies
Notable Changes:
* buffer:
- coerce slice parameters consistently
(Sakthipriyan Vairamani (thefourtheye))
#9101
* deps:
- *npm*:
- upgrade npm to 3.10.9 (Kat Marchán)
#9286
- *V8*:
- Various fixes to destructuring edge cases
- cherry-pick 3c39bac from V8 upstream (Cristian Cavalli)
#9138
- cherry pick 7166503 from upstream v8 (Cristian Cavalli)
#9173
* gtest:
- the test reporter now outputs tap comments as yamlish
(Johan Bergström) #9262
* inspector:
- inspector now prompts user to use 127.0.0.1 rather than localhost
(Eugene Ostroukhov) #9451
* tls:
- fix memory leak when writing data to TLSWrap instance during
handshake (Fedor Indutny)
#9586
PR-URL: #9735
imyller
added a commit
to imyller/meta-nodejs
that referenced
this pull request
Dec 7, 2016
This LTS release comes with 144 commits. This includes 47 that are docs
related, 46 that are test related, 15 which are build / tools related,
and 9 commits which are updates to dependencies
Notable Changes:
* buffer:
- coerce slice parameters consistently
(Sakthipriyan Vairamani (thefourtheye))
nodejs/node#9101
* deps:
- *npm*:
- upgrade npm to 3.10.9 (Kat Marchan)
nodejs/node#9286
- *V8*:
- Various fixes to destructuring edge cases
- cherry-pick 3c39bac from V8 upstream (Cristian Cavalli)
nodejs/node#9138
- cherry pick 7166503 from upstream v8 (Cristian Cavalli)
nodejs/node#9173
* gtest:
- the test reporter now outputs tap comments as yamlish
(Johan Bergstrom) nodejs/node#9262
* inspector:
- inspector now prompts user to use 127.0.0.1 rather than localhost
(Eugene Ostroukhov) nodejs/node#9451
* tls:
- fix memory leak when writing data to TLSWrap instance during
handshake (Fedor Indutny)
nodejs/node#9586
PR-URL: nodejs/node#9735
Signed-off-by: Ilkka Myller <ilkka.myller@nodefield.com>
imyller
added a commit
to imyller/meta-nodejs
that referenced
this pull request
Dec 7, 2016
This LTS release comes with 144 commits. This includes 47 that are docs
related, 46 that are test related, 15 which are build / tools related,
and 9 commits which are updates to dependencies
Notable Changes:
* buffer:
- coerce slice parameters consistently
(Sakthipriyan Vairamani (thefourtheye))
nodejs/node#9101
* deps:
- *npm*:
- upgrade npm to 3.10.9 (Kat Marchan)
nodejs/node#9286
- *V8*:
- Various fixes to destructuring edge cases
- cherry-pick 3c39bac from V8 upstream (Cristian Cavalli)
nodejs/node#9138
- cherry pick 7166503 from upstream v8 (Cristian Cavalli)
nodejs/node#9173
* gtest:
- the test reporter now outputs tap comments as yamlish
(Johan Bergstrom) nodejs/node#9262
* inspector:
- inspector now prompts user to use 127.0.0.1 rather than localhost
(Eugene Ostroukhov) nodejs/node#9451
* tls:
- fix memory leak when writing data to TLSWrap instance during
handshake (Fedor Indutny)
nodejs/node#9586
PR-URL: nodejs/node#9735
Signed-off-by: Ilkka Myller <ilkka.myller@nodefield.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Checklist
make -j8 test(UNIX), orvcbuild test nosign(Windows) passesAffected core subsystem(s)
buffer
Description of change
As shown in #9096, the offset and
end value of the
slicecall are just coerced to numbers and thenpassed to
FastBuffer, which internally truncates the mantissa partif the number is actually a floating point number. This actually
affects the new length of the slice calculation. For example,
This happens because, starting value of the slice is 4 / 3, which is
1.33 (approximately). Now, the length of the slice is calculated as
the difference between the actual length of the buffer and the starting
offset. So, it becomes 2.67 (4 - 1.33). Now, a new
FastBufferisconstructed, with these values, actual buffer object, starting value
which is 1.33 and the the length 2.67. The underlying C++ code
truncates the numbers and they become 1 and 2. That is why the result
is just
bc.This patch makes sure that all the offsets are coerced to an integer.
Fixes: #9096
cc @nodejs/buffer